Closed Bug 1556329 Opened 4 years ago Closed 3 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Cell.h:354 with WeakMap and GC

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 + fixed
firefox70 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update][post-critsmash-triage])

Attachments

(1 obsolete file)

The following testcase crashes on mozilla-central revision 219a897031a3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

evalInWorker(`
  function feval(code) {
    eval(code);
  };
  feval(\`
    var sym4 = Symbol.match;
    function basicSweeping() {}
    var wm1 = new WeakMap();
    wm1.set(basicSweeping, sym4);
    startgc(100000, 'shrinking');
  \`);
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Cell.h:354
#1  0x0000555555de4b50 in js::gc::detail::GetZone (t=...) at js/src/gc/WeakMap-inl.h:40
#2  js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntry (this=0x7ffff58f1e40, marker=0x7ffff58d36f8, markedCell=<optimized out>, origKey=<optimized out>) at js/src/gc/WeakMap-inl.h:136
#3  0x0000555556037fa1 in js::GCMarker::enterWeakMarkingMode (this=this@entry=0x7ffff58d36f8) at js/src/gc/Marking.cpp:2600
#4  0x00005555560815b6 in js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> (this=this@entry=0x7ffff58d26a8, phase=phase@entry=js::gcstats::PhaseKind::SWEEP_MARK_WEAK, budget=...) at js/src/gc/GC.cpp:4601
#5  0x0000555556038795 in js::gc::GCRuntime::markWeakReferencesInCurrentGroup (budget=..., phase=js::gcstats::PhaseKind::SWEEP_MARK_WEAK, this=0x7ffff58d26a8) at js/src/gc/GC.cpp:4634
#6  js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff58d26a8, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5503
#7  0x000055555608a330 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff53354c0, args#0=0x7ffff58d26a8, args#1=0x7ffff68fc630, args#2=...) at js/src/gc/GC.cpp:6501
#8  0x000055555608cb4a in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5320c40, args#0=0x7ffff58d26a8, args#1=0x7ffff68fc630, args#2=...) at js/src/gc/GC.cpp:6561
#9  0x0000555556037bfc in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff58d26a8, budget=...) at js/src/gc/GC.cpp:6733
#10 0x000055555604e9f6 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff58d26a8, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7262
#11 0x000055555604f4a3 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff58d26a8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7628
#12 0x000055555604fb4c in js::gc::GCRuntime::collect (this=this@entry=0x7ffff58d26a8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7808
#13 0x00005555560519f5 in js::gc::GCRuntime::startDebugGC (this=this@entry=0x7ffff58d26a8, gckind=GC_SHRINK, budget=...) at js/src/gc/GC.cpp:7956
#14 0x0000555555c4b835 in StartGC (cx=<optimized out>, cx@entry=0x7ffff58d8000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1277
#15 0x0000555555911d9f in CallJSNative (cx=0x7ffff58d8000, native=native@entry=0x555555c4b790 <StartGC(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#30 0x000055555587ed95 in WorkerMain (input=<optimized out>) at js/src/shell/js.cpp:4087
[...]
#34 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x555557d44000	93825034108928
rbx	0x7ffff5f3d000	140737319784448
rcx	0x555556bccd08	93825015794952
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7ffff68fc230	140737330004528
rsp	0x7ffff68fc220	140737330004512
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff68ff700	140737330018048
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff68fc270	140737330004592
r13	0x7ffff68fc260	140737330004576
r14	0x7ffff68fc250	140737330004560
r15	0x7ffff58d36f8	140737313060600
rip	0x55555590d1f9 <js::gc::TenuredCell::zone() const+89>
=> 0x55555590d1f9 <js::gc::TenuredCell::zone() const+89>:	movl   $0x0,0x0
   0x55555590d204 <js::gc::TenuredCell::zone() const+100>:	ud2

Marking s-s because this involves GC.

Steve, I saw this was possibly weakmap related, could help look into this bug.

Flags: needinfo?(sphink)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/37f9bd277c34
user: Steve Fink
date: Fri May 31 23:33:48 2019 +0000
summary: Bug 1167452 - Barrier weakmap operations and maintain weak keys table during incremental collections. r=jonco

Steve, is bug 1167452 a likely regressor?

Regressed by: 1167452
Component: JavaScript Engine → JavaScript: GC
Priority: -- → P1
Assignee: nobody → sphink
Flags: needinfo?(sphink)

Can we close this now that bug 1167452 has been backed out?

Flags: needinfo?(sphink)
Type: task → defect
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #4)

Can we close this now that bug 1167452 has been backed out?

Yes. I'll incorporate the fix into the eventual landing. Shouldn't be later than the year 2038 or so. :-)

I have no idea what status to use here.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(sphink)
Resolution: --- → INVALID

Let's just say fixed by backout :)

Resolution: INVALID → FIXED
Target Milestone: --- → mozilla69
Group: javascript-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [jsbugmon:update] → [jsbugmon:update][post-critsmash-triage]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
Attachment #9071475 - Attachment is obsolete: true
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.